CVE-2024-35242 : Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.

Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.

Published 2024-06-10 22:15:10

Updated 2025-02-13 18:18:06

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2024-35242

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-35242

EPSS FAQ

5.49%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 90 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-35242

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	GitHub, Inc.	2024-06-10
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-35242

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2024-35242

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/

[SECURITY] Fedora 40 Update: composer-2.7.7-1.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf

Multiple command injections via malicious git/hg branch names · Advisory · composer/composer · GitHub
https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396

Merge pull request from GHSA-v9qv-c7wm-wgmf · composer/composer@6bd43df · GitHub
https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467

Merge pull request from GHSA-v9qv-c7wm-wgmf · composer/composer@fc57b93 · GitHub
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/

[SECURITY] Fedora 39 Update: composer-2.7.7-1.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-35242

Products affected by CVE-2024-35242

Exploit prediction scoring system (EPSS) score for CVE-2024-35242

CVSS scores for CVE-2024-35242

CWE ids for CVE-2024-35242

References for CVE-2024-35242